Recipe 4.1 Viewing the RootDSE
4.1.1 Problem
You want to view attributes
of the RootDSE, which can be useful for
discovering basic information about a forest, domain, or domain
controller.
4.1.2 Solution
4.1.2.1 Using a graphical user interface
Open LDP. From the menu, select Connection → Connect. For Server, enter a domain controller or a domain name, or leave it blank to do a serverless bind. For Port, enter 389. Click OK. The contents of the RootDSE are shown in the right pane.
4.1.2.2 Using a command-line interface
> enumprop "LDAP://RootDSE"
4.1.2.3 Using VBScript
' This code prints the attributes of the RootDSE
set objRootDSE = GetObject("LDAP://RootDSE")
' Load the property cache so PropertyCount and Item are populated
objRootDSE.GetInfo
for i = 0 to objRootDSE.PropertyCount - 1
   ' IADsPropertyEntry for the i-th attribute
   set objProp = objRootDSE.Item(i)
   WScript.Echo objProp.Name
   ' One IADsPropertyValue per value; print each as a string
   for each objPropVal in objProp.Values
      WScript.Echo "   " & objPropVal.CaseIgnoreString
   next
next
4.1.3 Discussion
The RootDSE was originally defined in RFC 2251 as part of the LDAPv3
specification. It is not part of the Active Directory namespace per
se. It is a synthetic object that is maintained separately by each
domain controller.
The RootDSE can be read anonymously, and in fact none of the three
solutions supplied credentials. In the CLI and VBScript solutions, I used
serverless binds against the RootDSE: ADSI runs the DC Locator process to
find a domain controller in the domain of the account the script runs
under. LDP does the same if you leave the Server field blank in the
Connect dialog box. Keep in mind what this means for exposure: anyone who
can reach TCP port 389 on a domain controller learns the forest and domain
names, the DC's host name and site, and the domain, forest, and DC
functional levels without authenticating, and blocking other anonymous
LDAP operations through dSHeuristics does not hide the RootDSE.
The RootDSE is key to writing portable AD-enabled applications. It
provides a mechanism to programmatically determine the distinguished
names of the various naming contexts among other things, which means
you do not need to hardcode that information in scripts and programs.
Here is an example from LDP when run against a Windows Server
2003-based domain controller:
ld = ldap_open("dc01", 389);
Established connection to dc01.
Retrieving base DSA information . . .
Result <0>: (null)
Matched DNs:
Getting 1 entries:
>> Dn:
1> currentTime: 05/26/2003 15:29:42 Pacific Standard Time Pacific Daylight Time;
1> subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=rallencorp,DC=com;
1> dsServiceName: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=rallencorp,DC=com;
5> namingContexts: DC=rallencorp,DC=com; CN=Configuration,DC=rallencorp,DC=com; CN=Schema,CN=Configuration,DC=rallencorp,DC=com; DC=DomainDnsZones,DC=rallencorp,DC=com; DC=ForestDnsZones,DC=rallencorp,DC=com;
1> defaultNamingContext: DC=rallencorp,DC=com;
1> schemaNamingContext: CN=Schema,CN=Configuration,DC=rallencorp,DC=com;
1> configurationNamingContext: CN=Configuration,DC=rallencorp,DC=com;
1> rootDomainNamingContext: DC=rallencorp,DC=com;
21> supportedControl: 1.2.840.113556.1.4.319; 1.2.840.113556.1.4.801; 1.2.840.113556.1.4.473; 1.2.840.113556.1.4.528; 1.2.840.113556.1.4.417; 1.2.840.113556.1.4.619; 1.2.840.113556.1.4.841; 1.2.840.113556.1.4.529; 1.2.840.113556.1.4.805; 1.2.840.113556.1.4.521; 1.2.840.113556.1.4.970; 1.2.840.113556.1.4.1338; 1.2.840.113556.1.4.474; 1.2.840.113556.1.4.1339; 1.2.840.113556.1.4.1340; 1.2.840.113556.1.4.1413; 2.16.840.1.113730.3.4.9; 2.16.840.1.113730.3.4.10; 1.2.840.113556.1.4.1504; 1.2.840.113556.1.4.1852; 1.2.840.113556.1.4.802;
2> supportedLDAPVersion: 3; 2;
12> supportedLDAPPolicies: MaxPoolThreads; MaxDatagramRecv; MaxReceiveBuffer; InitRecvTimeout; MaxConnections; MaxConnIdleTime; MaxPageSize; MaxQueryDuration; MaxTempTableSize; MaxResultSetSize; MaxNotificationPerConn; MaxValRange;
1> highestCommittedUSN: 53242;
4> supportedSASLMechanisms: GSSAPI; GSS-SPNEGO; EXTERNAL; DIGEST-MD5;
1> dnsHostName: dc01.rallencorp.com;
1> ldapServiceName: rallencorp.com:dc01$@RALLENCORP.COM;
1> serverName: CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=rallencorp,DC=com;
3> supportedCapabilities: 1.2.840.113556.1.4.800; 1.2.840.113556.1.4.1670; 1.2.840.113556.1.4.1791;
1> isSynchronized: TRUE;
1> isGlobalCatalogReady: TRUE;
1> domainFunctionality: 0 = ( DS_BEHAVIOR_WIN2000 );
1> forestFunctionality: 0 = ( DS_BEHAVIOR_WIN2000 );
1> domainControllerFunctionality: 2 = ( DS_BEHAVIOR_WIN2003 );
4.1.3.1 Using VBScript
The script retrieved and displayed every attribute of the RootDSE.
Typically you will need only a few of them, in which case you'll want to
use Get or GetEx on the attribute you need, as in the following example:
strDefaultNC = objRootDSE.Get("defaultNamingContext")
Or, if you want to get an object based on the distinguished name (DN) of
one of the naming contexts, you can call GetObject with an ADsPath built
from the RootDSE value instead of a hardcoded domain DN:
set objUser = GetObject("LDAP://cn=administrator,cn=users," & _
objRootDSE.Get("defaultNamingContext") )
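The LDP dump above is exactly what an unauthenticated client sees, so it is worth being able to pull the useful facts out of it mechanically rather than by eye. The following Python script is an added example, not code from this book: it parses an LDP-style RootDSE dump (the embedded text is a constructed excerpt of the output above, with one line wrapped the way LDP wraps long values), names the advertised capability OIDs and the numeric functional levels, and builds an ADsPath from defaultNamingContext the way the VBScript above does. The OID and functional-level tables are the documented Active Directory values; the function names are my own.

```python
"""Parse an LDP-style RootDSE dump and summarize what it gives away.

Added example, not from the Active Directory Cookbook. Input format is
LDP's 'n> attribute: value; value;' listing; attribute names and values
come from the sample dump on this page.
"""
import re

# Constructed sample: a trimmed copy of the LDP output shown above. The
# supportedCapabilities line is wrapped mid-OID, as LDP (and the book) does.
LDP_DUMP = """\
Getting 1 entries:
>> Dn:
1> dsServiceName: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-
Name,CN=Sites,CN=Configuration,DC=rallencorp,DC=com;
5> namingContexts: DC=rallencorp,DC=com; CN=Configuration,DC=rallencorp,DC=com;
CN=Schema,CN=Configuration,DC=rallencorp,DC=com;
DC=DomainDnsZones,DC=rallencorp,DC=com; DC=ForestDnsZones,DC=rallencorp,DC=com;
1> defaultNamingContext: DC=rallencorp,DC=com;
1> rootDomainNamingContext: DC=rallencorp,DC=com;
2> supportedLDAPVersion: 3; 2;
4> supportedSASLMechanisms: GSSAPI; GSS-SPNEGO; EXTERNAL; DIGEST-MD5;
1> dnsHostName: dc01.rallencorp.com;
3> supportedCapabilities: 1.2.840.113556.1.4.800; 1.2.840.113556.1.4.1670; 1.2.840.
113556.1.4.1791;
1> domainFunctionality: 0 = ( DS_BEHAVIOR_WIN2000 );
1> forestFunctionality: 0 = ( DS_BEHAVIOR_WIN2000 );
1> domainControllerFunctionality: 2 = ( DS_BEHAVIOR_WIN2003 );
"""

# Documented capability OIDs advertised in supportedCapabilities (MS-ADTS).
CAPABILITY_OIDS = {
    "1.2.840.113556.1.4.800": "LDAP_CAP_ACTIVE_DIRECTORY_OID",
    "1.2.840.113556.1.4.1670": "LDAP_CAP_ACTIVE_DIRECTORY_V51_OID",
    "1.2.840.113556.1.4.1791": "LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID",
    "1.2.840.113556.1.4.1935": "LDAP_CAP_ACTIVE_DIRECTORY_V61_OID",
}

# Documented *Functionality values (DS_BEHAVIOR_* levels).
FUNCTIONAL_LEVELS = {
    0: "Windows 2000", 1: "Windows Server 2003 interim",
    2: "Windows Server 2003", 3: "Windows Server 2008",
    4: "Windows Server 2008 R2", 5: "Windows Server 2012",
    6: "Windows Server 2012 R2", 7: "Windows Server 2016",
}

ATTR_LINE = re.compile(r"^(\d+)> ([\w-]+): ?(.*)$")


def parse_ldp_rootdse(text):
    """Turn LDP's 'n> attr: v1; v2;' listing into {attr: [values]}.

    A line that does not start with 'n> attr:' continues the previous
    attribute. LDP wraps long values without inserting a separator, so
    continuations are joined with no padding; values are split on ';'.
    """
    raw, current = {}, None
    for line in text.splitlines():
        m = ATTR_LINE.match(line)
        if m:
            current = m.group(2)
            raw[current] = m.group(3)
        elif current is not None and line.strip() and not line.startswith(">>"):
            raw[current] += line.strip()
    return {k: [v.strip() for v in val.split(";") if v.strip()]
            for k, val in raw.items()}


def functional_level(attrs, name):
    """Read the integer in front of 'n = ( DS_BEHAVIOR_... )' and name it."""
    level = int(attrs[name][0].split("=")[0])
    return level, FUNCTIONAL_LEVELS.get(level, f"unknown ({level})")


def summarize(attrs):
    """The recon-relevant facts an anonymous RootDSE read hands out."""
    caps = attrs.get("supportedCapabilities", [])
    return {
        "dc": attrs["dnsHostName"][0],
        "domain": attrs["defaultNamingContext"][0],
        "forest_root": attrs["rootDomainNamingContext"][0],
        "naming_contexts": attrs["namingContexts"],
        "capabilities": [CAPABILITY_OIDS.get(o, o) for o in caps],
        # Advertised support for LDAP signing/sealing, not proof it is required.
        "ldap_signing_advertised": "1.2.840.113556.1.4.1791" in caps,
        "sasl": attrs.get("supportedSASLMechanisms", []),
        "dc_level": functional_level(attrs, "domainControllerFunctionality")[1],
        "domain_level": functional_level(attrs, "domainFunctionality")[1],
        "forest_level": functional_level(attrs, "forestFunctionality")[1],
    }


def adspath(rdn, attrs, context="defaultNamingContext"):
    """Build an ADsPath from a RootDSE naming context, as the VBScript does,
    so the domain DN is never hardcoded."""
    return f"LDAP://{rdn},{attrs[context][0]}"


if __name__ == "__main__":
    parsed = parse_ldp_rootdse(LDP_DUMP)
    for key, value in summarize(parsed).items():
        print(f"{key}: {value}")
    print(adspath("cn=administrator,cn=users", parsed))
```

Note that LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID only says the DC supports LDAP signing and sealing; whether it requires them is a policy setting the RootDSE does not reveal, so treat the flag as a lead to check, not a finding.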
4.1.4 See Also
RFC 2251, MS KB 219005 (Windows 2000: LDAPv3 RootDSE), MSDN:
IADsPropertyEntry, MSDN: IADsPropertyValue, MSDN: IADs::Get, and MSDN:
IADs::GetEx